[PATCH 00/20] Prevent "nobody" from escalating privileges by using writeable binaries as a vehicle

[PATCH 00/20] Prevent "nobody" from escalating privileges by using writeable binaries as a vehicle

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2668 bytes --]

This patchset restricts dangerous file permissions, either SUID binaries or
executable binaries within /var/ipfire/ owned by "nobody", to their absolute
need-to-work basis. Hereby, we make privilege escalation attempts carried out
by "nobody" against IPFire-specific files harder, as there is no direct vehicle
to write in arbitrary shell code which is then executed later on.

Partially fixes: #12619

Peter Müller (20):
  GnuPG does not need to have a SUID bit set
  Core Update 157: remove SUID bit from /usr/bin/gpg
  /usr/bin/ping does not need a SUID bit if appropriate capabilities are
    set
  Core Update 157: Delete ssh-keysign binary
  DMA: do not ship a binary for creating mail boxes
  Core Update 157: Delete orphaned DMA mail box creation binary as well
  Core Update 157: /var/ipfire/fwhosts/icmp-types does not have to be
    executable
  Core Update 157: Ship changed iputils due to /usr/bin/ping changes
  backup: prevent /var/ipfire/backup/bin/backup.pl from being owned by
    nobody
  SquidGuard: Prevent binaries within /var/ipfire/urlfilter/bin/ from
    being owned by nobody
  Core Update 157: Apply changed permissions to
    /var/ipfire/urlfilter/bin/
  Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from
    being owned by nobody
  Core Update 157: Apply changed permissions to
    /var/ipfire/updatexlrator/bin/
  OpenVPN: ovpn-leases.db for sure does not have to be executable
  Core Update 157: Apply changed permissions to
    /var/ipfire/ovpn/ovpn-leases.db
  Core Update 157: Remove executable bit less ugly
  NRPE: Prevent NRPE binary from being owned by "nobody"
  nagios-plugins: Prevent Nagios plugins from being owned by nobody
  Squid: cachemgr.cgi does not have to be owned (hence writeable) by
    nobody
  Core Update 157: Apply changed permissions to
    /srv/web/ipfire/cgi-bin/cachemgr.cgi

 config/rootfiles/common/dma                 |  2 +-
 config/rootfiles/core/157/filelists/iputils |  1 +
 config/rootfiles/core/157/update.sh         | 18 ++++++++++++++++++
 lfs/backup                                  |  7 ++++---
 lfs/gnupg                                   |  4 ++--
 lfs/iputils                                 |  7 +++++--
 lfs/nagios-plugins                          |  8 ++++++--
 lfs/nagios_nrpe                             |  7 +++++--
 lfs/openvpn                                 |  4 ++--
 lfs/squid                                   |  5 +++--
 lfs/squidguard                              |  3 ++-
 11 files changed, 49 insertions(+), 17 deletions(-)
 create mode 120000 config/rootfiles/core/157/filelists/iputils

-- 
2.26.2

[PATCH 01/20] GnuPG does not need to have a SUID bit set

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1252 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/gnupg | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/gnupg b/lfs/gnupg
index f94948fe9..624855686 100644
--- a/lfs/gnupg
+++ b/lfs/gnupg
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -77,6 +77,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && ./configure --prefix=/usr --libexecdir=/usr/lib --disable-nls
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
-	chmod -v 4755 /usr/bin/gpg
+	chmod -v 755 /usr/bin/gpg
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
-- 
2.26.2

[PATCH 02/20] Core Update 157: remove SUID bit from /usr/bin/gpg

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 594 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 09b8d8968..322e2ada2 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -103,6 +103,9 @@ ldconfig
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
 
+# Fix file permissions changed
+chmod -s /usr/bin/gpg
+
 # Start services
 /etc/init.d/sshd restart
 /etc/init.d/apache restart
-- 
2.26.2

[PATCH 03/20] /usr/bin/ping does not need a SUID bit if appropriate capabilities are set

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1540 bytes --]

Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/iputils | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lfs/iputils b/lfs/iputils
index b1e2e2216..ae692df7a 100644
--- a/lfs/iputils
+++ b/lfs/iputils
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -71,9 +71,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && make ping tracepath
-	cd $(DIR_APP) && install -m 4755 ping /usr/bin
+	cd $(DIR_APP) && install -m 0755 ping /usr/bin
 	cd $(DIR_APP) && install -m 0755 tracepath /usr/bin
 
+	# Allow execution of /usr/bin/ping by other users than "root"
+	setcap cap_net_raw+ep /usr/bin/ping
+
 	# Some scripts expect ping in /bin/ping.
 	ln -svf ../usr/bin/ping /bin/ping
 
-- 
2.26.2

[PATCH 04/20] Core Update 157: Delete ssh-keysign binary

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 599 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 322e2ada2..0f4c76346 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -106,6 +106,9 @@ ldconfig
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
 
+# Delete scrubbed files
+rm -f /usr/lib/openssh/ssh-keysign
+
 # Start services
 /etc/init.d/sshd restart
 /etc/init.d/apache restart
-- 
2.26.2

[PATCH 05/20] DMA: do not ship a binary for creating mail boxes

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 691 bytes --]

This is only needed in case of bounces generated by locally emitted
messages. We neither store these, nor do we create mail boxes on a
firewall. Safe to drop.

Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/common/dma | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/rootfiles/common/dma b/config/rootfiles/common/dma
index e98e67415..79cad8ece 100644
--- a/config/rootfiles/common/dma
+++ b/config/rootfiles/common/dma
@@ -1,5 +1,5 @@
 etc/alternatives/sendmail
-usr/lib/dma-mbox-create
+#usr/lib/dma-mbox-create
 usr/sbin/dma
 usr/sbin/dma-cleanup-spool
 usr/sbin/mailq
-- 
2.26.2

[PATCH 06/20] Core Update 157: Delete orphaned DMA mail box creation binary as well

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 625 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 0f4c76346..8738a1e46 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -107,7 +107,9 @@ ldconfig
 chmod -s /usr/bin/gpg
 
 # Delete scrubbed files
-rm -f /usr/lib/openssh/ssh-keysign
+rm -f \
+	/usr/lib/dma-mbox-create \
+	/usr/lib/openssh/ssh-keysign
 
 # Start services
 /etc/init.d/sshd restart
-- 
2.26.2

[PATCH 07/20] Core Update 157: /var/ipfire/fwhosts/icmp-types does not have to be executable

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 592 bytes --]

See commit 183ccaa5a5c95f4cb2b639360f3c1465567577e9.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 8738a1e46..7ed02d690 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -105,6 +105,7 @@ ldconfig
 
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
+chmod -x /var/ipfire/fwhosts/icmp-types
 
 # Delete scrubbed files
 rm -f \
-- 
2.26.2

[PATCH 08/20] Core Update 157: Ship changed iputils due to /usr/bin/ping changes

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 519 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/filelists/iputils | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/157/filelists/iputils

diff --git a/config/rootfiles/core/157/filelists/iputils b/config/rootfiles/core/157/filelists/iputils
new file mode 120000
index 000000000..361c28f71
--- /dev/null
+++ b/config/rootfiles/core/157/filelists/iputils
@@ -0,0 +1 @@
+../../../common/iputils
\ No newline at end of file
-- 
2.26.2

[PATCH 09/20] backup: prevent /var/ipfire/backup/bin/backup.pl from being owned by nobody

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1937 bytes --]

This is dangerous as nobody could write arbitrary contents to this file
and execute it afterwards.

Partially fixes: #12619

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/backup | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lfs/backup b/lfs/backup
index 791d87adb..9d3e05735 100644
--- a/lfs/backup
+++ b/lfs/backup
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -30,7 +30,7 @@ THISAPP    = backup-$(VER)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = backup
-PAK_VER    = 1
+PAK_VER    = 2
 
 DEPS       =
 
@@ -56,10 +56,11 @@ dist:
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	-mkdir -p /var/ipfire/backup/bin
-	install -v -m 755 $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin
+	install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin
 	install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/
 	install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/
 	chown nobody:nobody -R /var/ipfire/backup/
+	chown root:root -R /var/ipfire/backup/bin/
 	-mkdir -p /var/ipfire/backup/addons
 	-mkdir -p /var/ipfire/backup/addons/includes
 	-mkdir -p /var/ipfire/backup/addons/backup
-- 
2.26.2

[PATCH 10/20] SquidGuard: Prevent binaries within /var/ipfire/urlfilter/bin/ from being owned by nobody

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1355 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/squidguard | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/squidguard b/lfs/squidguard
index eb13c41dd..d5eb30377 100644
--- a/lfs/squidguard
+++ b/lfs/squidguard
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -113,6 +113,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	/usr/bin/perl $(DIR_CONF)/urlfilter/makeconf.pl
 	touch /var/ipfire/urlfilter/settings
 	chown -R nobody:nobody /var/ipfire/urlfilter
+	chown -R root:root /var/ipfire/urlfilter/bin
 	chmod 755 /srv/web/ipfire/html/images/urlfilter
 	chmod 644 /srv/web/ipfire/html/images/urlfilter/*
 	chown -R nobody:nobody /var/urlrepo
-- 
2.26.2

[PATCH 11/20] Core Update 157: Apply changed permissions to /var/ipfire/urlfilter/bin/

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 580 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index 7ed02d690..f46a47572 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -106,6 +106,7 @@ ldconfig
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
 chmod -x /var/ipfire/fwhosts/icmp-types
+chown -R root:root /var/ipfire/urlfilter/bin
 
 # Delete scrubbed files
 rm -f \
-- 
2.26.2

[PATCH 12/20] Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from being owned by nobody

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1033 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/squid | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/squid b/lfs/squid
index 33cb95ba1..18cb30ef7 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -171,6 +171,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	ln -fs /bin/false /var/ipfire/updatexlrator/autocheck/cron.weekly
 
 	chown -R nobody:nobody /var/ipfire/updatexlrator
+	chown -R root:root /var/ipfire/updatexlrator/bin
 	chown nobody.squid /var/updatecache
 	chown nobody.squid /var/updatecache/download
 	chown nobody.squid /var/updatecache/metadata
@@ -186,7 +187,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	chown nobody.nobody /srv/web/ipfire/html/proxy.pac
 	ln -sf /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/html/wpad.dat
 
-	#Copy stylesheets for the errorpages
+	# Copy stylesheets for the errorpages
 	cp -f $(DIR_SRC)/config/proxy/errorpage-ipfire.css /var/ipfire/proxy/
 	cp -f /etc/squid/errorpage.css /var/ipfire/proxy/errorpage-squid.css
 
-- 
2.26.2

[PATCH 13/20] Core Update 157: Apply changed permissions to /var/ipfire/updatexlrator/bin/

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 598 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index f46a47572..c2fad638c 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -107,6 +107,7 @@ ldconfig
 chmod -s /usr/bin/gpg
 chmod -x /var/ipfire/fwhosts/icmp-types
 chown -R root:root /var/ipfire/urlfilter/bin
+chown -R root:root /var/ipfire/updatexlrator/bin
 
 # Delete scrubbed files
 rm -f \
-- 
2.26.2

[PATCH 14/20] OpenVPN: ovpn-leases.db for sure does not have to be executable

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1345 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/openvpn | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/openvpn b/lfs/openvpn
index b026d515b..81ccc52bf 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -89,7 +89,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	-mkdir -vp /var/ipfire/ovpn/n2nconf
 	-mkdir -vp /var/ipfire/ovpn/scripts
 	touch /var/ipfire/ovpn/ovpn-leases.db
-	chmod 700 /var/ipfire/ovpn/ovpn-leases.db
+	chmod 600 /var/ipfire/ovpn/ovpn-leases.db
 	chown -R root:root /var/ipfire/ovpn/scripts
 	chown -R nobody:nobody /var/ipfire/ovpn
 	chmod 700 /var/ipfire/ovpn/certs
-- 
2.26.2

[PATCH 15/20] Core Update 157: Apply changed permissions to /var/ipfire/ovpn/ovpn-leases.db

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 631 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index c2fad638c..e270ef338 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -108,6 +108,7 @@ chmod -s /usr/bin/gpg
 chmod -x /var/ipfire/fwhosts/icmp-types
 chown -R root:root /var/ipfire/urlfilter/bin
 chown -R root:root /var/ipfire/updatexlrator/bin
+chmod 600 /var/ipfire/ovpn/ovpn-leases.db
 
 # Delete scrubbed files
 rm -f \
-- 
2.26.2

[PATCH 16/20] Core Update 157: Remove executable bit less ugly

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 789 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index e270ef338..d71c9688c 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -105,10 +105,12 @@ ldconfig
 
 # Fix file permissions changed
 chmod -s /usr/bin/gpg
-chmod -x /var/ipfire/fwhosts/icmp-types
+chmod -x \
+	/var/ipfire/fwhosts/icmp-types \
+	/var/ipfire/ovpn/ovpn-leases.db
+
 chown -R root:root /var/ipfire/urlfilter/bin
 chown -R root:root /var/ipfire/updatexlrator/bin
-chmod 600 /var/ipfire/ovpn/ovpn-leases.db
 
 # Delete scrubbed files
 rm -f \
-- 
2.26.2

[PATCH 17/20] NRPE: Prevent NRPE binary from being owned by "nobody"

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1516 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/nagios_nrpe | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lfs/nagios_nrpe b/lfs/nagios_nrpe
index a8b4b3676..260bcc810 100644
--- a/lfs/nagios_nrpe
+++ b/lfs/nagios_nrpe
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = nagios_nrpe
-PAK_VER    = 8
+PAK_VER    = 9
 
 DEPS       = nagios-plugins
 
@@ -99,5 +99,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	install -v -m 644 ${DIR_SRC}/config/backup/includes/nagios_nrpe \
 		/var/ipfire/backup/addons/includes/nagios_nrpe
 
+	# Prevent NRPE binary from being owned by "nobody"
+	chown root:root /usr/lib/nagios/check_nrpe
+
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
-- 
2.26.2

[PATCH 18/20] nagios-plugins: Prevent Nagios plugins from being owned by nobody

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1497 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/nagios-plugins | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lfs/nagios-plugins b/lfs/nagios-plugins
index ad081d5f6..d35a94bbe 100644
--- a/lfs/nagios-plugins
+++ b/lfs/nagios-plugins
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = nagios-plugins
-PAK_VER    = 4
+PAK_VER    = 5
 
 DEPS       =
 
@@ -88,4 +88,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	@rm -rf $(DIR_APP)
+
+	# Prevent Nagios plugins from being owned (and hence writeable) by "nobody"
+	chown root:root -R /usr/lib/nagios/plugins
+
 	@$(POSTBUILD)
-- 
2.26.2

[PATCH 19/20] Squid: cachemgr.cgi does not have to be owned (hence writeable) by nobody

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 745 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/squid | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lfs/squid b/lfs/squid
index 18cb30ef7..38675f3f3 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -149,7 +149,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	chown -R squid:squid /var/log/squid /var/log/cache /var/log/updatexlrator
 
 	cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi
-	chown nobody.nobody /srv/web/ipfire/cgi-bin/cachemgr.cgi
+	chown root:root /srv/web/ipfire/cgi-bin/cachemgr.cgi
 
 	cp -f $(DIR_SRC)/config/updxlrator/updxlrator /usr/sbin/updxlrator
 	cp -f $(DIR_SRC)/config/updxlrator/checkup /var/ipfire/updatexlrator/bin/checkup
-- 
2.26.2

[PATCH 20/20] Core Update 157: Apply changed permissions to /srv/web/ipfire/cgi-bin/cachemgr.cgi

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 783 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/rootfiles/core/157/update.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/core/157/update.sh b/config/rootfiles/core/157/update.sh
index d71c9688c..ce7b6f5bf 100644
--- a/config/rootfiles/core/157/update.sh
+++ b/config/rootfiles/core/157/update.sh
@@ -109,8 +109,12 @@ chmod -x \
 	/var/ipfire/fwhosts/icmp-types \
 	/var/ipfire/ovpn/ovpn-leases.db
 
-chown -R root:root /var/ipfire/urlfilter/bin
-chown -R root:root /var/ipfire/updatexlrator/bin
+chown -R root:root \
+	/var/ipfire/updatexlrator/bin \
+	/var/ipfire/urlfilter/bin
+
+chown root:root \
+	/srv/web/ipfire/cgi-bin/cachemgr.cgi
 
 # Delete scrubbed files
 rm -f \
-- 
2.26.2